Introduction


1. The Information Commissioner's Office (ICO) is pleased to respond to the Scottish Government’s consultation on Scottish Charity Law.


2. The ICO has responsibility for, amongst other things, promoting and enforcing the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018).


3. The ICO is independent of government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO does this by providing guidance to individuals and organisations, solving problems where we can, and taking appropriate action where the law is broken.


4. Data protection legislation protects individuals’ personal data rights. When personal data is lost, stolen, shared or used inappropriately it can lead to harm, distress and negative impacts on personal rights and freedoms.


5. In our response to this consultation we first set out some general points about the requirement to consult with the ICO, privacy by design and data protection impact assessments. We then provide our more detailed response to Sections 1 and 2 of the consultation. We have grouped our responses to the consultation questions to avoid repetition.


Consultation with the ICO 


6. Article 36(4) of the GDPR requires the Scottish Government to consult with the ICO when developing proposals for legislation to be passed by the Scottish Parliament, or regulatory measures based on such legislation, relating to the processing of personal data. This includes:


i. primary and secondary legislation; 

ii. regulatory measures (such as regulations, directions and orders) made 
under primary or secondary legislation; 

iii. statutory codes of practice; and 

iv. statutory guidance. 
7. Consultation under Article 36(4) should take place directly with the ICO and apart from any public consultation.


8. We look forward to the Scottish Government consulting further with us as proposals develop.


Privacy by Design 


9. The European Convention on Human Rights, Article 8, sets out the right to respect for private and family life. Protecting Article 8 rights as far as possible, and ensuring that there is no interference with these rights except in circumstances when the conditions set out under Article 8 are met, must be central to the reform of charity law in Scotland.


10. The GDPR and the DPA 2018 protect individuals’ rights when it comes to the processing of personal data.


11. To ensure these rights are protected, a privacy by design approach to reform would be helpful. Article 25 of the GDPR requires that data controllers implement data protection by design and default. This means considering privacy and data protection issues at the design phase of any system, service, product or process (in this case, a regulatory system) and only processing the data that is necessary to achieve the specific purpose of the processing.


12. Taking a privacy by design approach to legislative development will help ensure that OSCR is able to comply with its Article 25 obligations in implementing the legislation and using any new powers.


13. We therefore encourage the Scottish Government to take a clearer data protection by design and default approach to reform of charity regulation in Scotland. We recommend that the Scottish Government revisit the aims and objectives of the proposed reforms, considering whether there are other less intrusive options available that will achieve the same objectives.


Data Protection Impact Assessment 


14. A Data Protection Impact Assessment (DPIA) allows for the systematic consideration of proposed processing of personal data. A DPIA sets out the nature, scope and purposes of the proposed processing and assesses their necessity and proportionality. It helps identify the likely impact on the rights and freedoms of the individuals involved and how risks can be managed and mitigated.


V1.0 Final 1 April 2019


Information Commissioner's Office


15. A DPIA is a useful tool for assessing the risks associated with different legislative proposals that involve the processing of personal data. Completing a DPIA will help the Scottish Government identify less intrusive, lower risk processing options, prepare a comprehensive impact assessment of the policy proposals to present alongside a future bill, and will also assist OSCR in meeting its data protection obligations.


16. The ICO recommends that a DPIA is undertaken in situations where there is: processing of sensitive data or data of a highly personal nature; processing on a large scale; and processing that involves preventing data subjects from exercising a right or using a service or contract (see our full list of criteria here).


17. There is a specific legal obligation on controllers to undertake a DPIA where proposed processing is likely to result in a high risk to the rights and freedoms of individuals (GDPR, Article 35). Where such a risk cannot be mitigated, the data controller must consult with the ICO prior to processing commencing.


18. Given that some of the proposals for publication of personal data on internal and external databases will meet some of the criteria in paragraph 16, we strongly encourage the Scottish Government to conduct a DPIA as part of the options appraisal and legislative development process.


19. It is also worth noting the particular risk presented by the use of publicly available online databases (as proposed in this consultation). Where personal data is published on a public database with no restrictions on access, the Scottish Government should consider that this data will be available both to recipients to whom the GDPR does not apply and to an indefinite number of individuals. Proposals involving a public, online database therefore represent a restricted transfer of personal data to countries outside the EEA under the GDPR. This is only lawful in certain circumstances and when certain protections are in place. OSCR, in implementing such a register, would have to give careful consideration as to how to ensure compliance with Article 25 and Articles 44-49 (governing international transfers) of the GDPR.
Our response to Section 1: Publishing annual reports and accounts in full for all charities on the Scottish Charity Register


20. Annual reports and accounts are likely to contain personal data relating to trustees, staff, donors and beneficiaries. Some of this may be special category data or data from which special category data can be inferred with some degree of certainty. For example, if a mental health charity names or identifies beneficiaries in its annual report it may be possible to infer with reasonable certainty that these individuals suffer from a specific mental health condition. To process special category data OSCR will need to be able to rely on an Article 9 (GDPR) condition to process this data.


21. The Scottish Government should consider what kind of risks blanket, online publication (see paragraph 19) could present, particularly to vulnerable individuals identified in these reports. The Scottish Government should then consider whether it is necessary and proportionate to infringe these individuals' Article 8 rights and expose them to these risks in order to achieve the stated objective of improving public trust in charities, whilst avoiding placing an unreasonable administrative burden on OSCR.


22. Our view is that the evidence and analysis presented in the consultation paper does not make a strong enough case.


23. Alternative, less intrusive options that may more appropriately balance the legitimate interests of members of the public with the Article 8 rights of those identified in the reports could include:


o Adopting a targeted rather than blanket approach. For example, it may be appropriate to publish in full the reports of charities subject to Freedom of Information or charities over a certain size. Expectation will be a useful barometer here. Would trustees involved in a certain charity reasonably expect their name and personal details to be in the public domain or not? A trustee of a large, national charity with a contract to deliver a public service may well reasonably expect their name to be published publicly, whereas a trustee of a small community-based charity may not. Similarly, a trustee of a charity which is also registered with Companies House and whose trustees appear on that register could reasonably expect to be identified.




o Attaching a stamp to the published report or accounts or to the charity’s 
entry in the register indicating that OSCR has seen and verified the 
unredacted accounts in full or publishing a statement to that effect. 


o Requiring registered charities to provide two copies of their annual reports and accounts to OSCR, one with personal information redacted for publication and the other in full for OSCR’s internal use only.


o And/or issuing guidance to charities on drafting annual reports and 
accounts in such a way that personal data is minimised to only that 
which is absolutely necessary, reducing the administrative burden on 
the charity and/or OSCR when it comes to redaction. 


24. The consultation notes that charity regulators elsewhere in the UK have the 
power to publish annual reports and accounts in full. While this may be the 
case, the Scottish Government must satisfy itself that taking a similar 
approach is necessary and proportionate and that no less intrusive options 
would achieve the same objective. 


Our response to Section 2: An internal database and 
external register of charity trustees 


Internal database 


25. The ICO has previously provided advice to OSCR on the establishment of an 
internal Trustee register which would include the information identified in 
this consultation. 


26. Our advice (issued in 2017) provided some guidance on when the ‘public 
task’ basis, Article 6(1)(e), can be relied upon as the lawful basis of 
establishing an internal database of trustees in the absence of a legislative 
power. We advised that OSCR should be able to demonstrate there was no 
other reasonable and less obtrusive way of fulfilling the purpose and to carry 
out a DPIA to assess the compliance of the proposed processing. 


27. The proposal in this consultation is to legally require OSCR to establish both 
an internal and external trustee register. 


28. A legal obligation to establish an internal trustee database would provide OSCR with a clear legal gateway for processing under the GDPR; however, the Scottish Government should still satisfy itself that this processing is necessary and proportionate for more effective regulation.


External register 


29. As outlined above, there are significant risks associated with the establishment of a freely accessible external trustee register (we have assumed that the proposed register will be an online database much like the current Scottish Charity Register, although this is not specified in the consultation) and in particular the proposal to publish the names of removed trustees. We detail some of these concerns below:


o Vulnerable individuals: depending on the nature of the charity and the personal circumstances of the trustee, there will be a number of scenarios in which publication of their details may place certain trustees at risk or result in physical or mental harm.


o Publishing details of removed trustees: Trustees may be removed by the 
Court of Session where there has been misconduct under Section 69 of the 
Charities and Trustees (Scotland) Act 2005. Misconduct could be criminal in 
nature or could relate to mismanagement or bankruptcy. This is sensitive 
information that could be used to infringe the rights and freedoms of the 
named trustees now and in the future. Once published OSCR will have no 
control over how this information will be used. For example, future 
employers could use this information to vet potential employees. 


o The Right to be Forgotten: Currently in Scotland anyone convicted of a criminal offence of less than two and a half years can be regarded as rehabilitated after a specified period of time and does not have to disclose their offending history (the Management of Offenders (Scotland) Bill will reduce these time periods further). There appears, however, to be no equivalent to rehabilitation for removed trustees. This means that the names of removed trustees could be on the internal database and external register in perpetuity unless a retention period for that data is specified. The Scottish Government may wish to consider what a reasonable period for the names of removed trustees to remain on the database might be. Within the teaching profession, for example, where a teacher has been removed from the General Teaching Council for Scotland Register as a result of a fitness to teach decision, this information is only displayed for a period of two years. The judgement of the Court of Justice of the EU in the case of Google Spain [1], which found in favour of the complainant's ‘right to be forgotten’, is also useful in this regard as it highlights that even initially lawful processing of accurate data may, in the course of time, become incompatible with data protection legislation.


o Criminal convictions: Article 10 of the GDPR allows for the processing of personal data relating to criminal convictions only under the control of an official authority or when authorised by law, and where there are appropriate safeguards for the rights and freedoms of the data subjects. While publishing the names of removed trustees does not involve directly processing criminal conviction data, the Scottish Government should consider to what degree of certainty those accessing the database may be able to infer that a removed trustee has a criminal conviction and therefore whether OSCR will require an Article 10 condition for processing.


o Adequacy and accuracy: The Scottish Government should consider how accurate and complete such a register would be and therefore to what extent OSCR would be able to comply with Article 5(1)(c) and (d) of the GDPR in implementing it. What processes would be in place to review and update the register?


o Article 13-19 Rights: OSCR will have an obligation under data protection law to ensure that individuals' Article 13-21 rights (the Right to be informed, Right of access, Right to rectification, Right to erasure, Right to restrict processing, Right to data portability and Right to object) are complied with. The Scottish Government should bear this in mind when developing legislative requirements.


Identifying the least intrusive solution 


30. The consultation does not clearly set out what the purpose of establishing a public register of trustees is. As a first step we recommend that the Scottish Government should ensure there is a clear purpose for this processing (Article 5(1)(b)).


31. Identifying a clear purpose will assist the Scottish Government in identifying which individuals or entities require access to such a database and which categories of personal data it is necessary to provide to different recipients. For example, depending on purpose, the information that a lay member of the public may require may be very different to that required by the board of a charity wishing to vet prospective trustees.


[1] http://curia.europa.eu/juris/liste.jsf?num=C-131/12


32. Being clear on these aspects will ultimately assist the Government in identifying a proportionate proposal that protects individuals' ECHR Article 8 rights and ensures that OSCR can adequately protect individuals’ personal data rights.


We trust this response is helpful and we look forward to the Scottish Government 
undertaking detailed consultation with us as its proposals develop. Should the 
Scottish Government require clarification of any of the points made, please 
contact us on 0303 123 1115 or by email at scotland@ico.org.uk. 